Counting Predicates of Conjunctive Complexity One

Yale University Department of Computer Science P.O. Box 208205 New Haven, CT 06520–8285

Counting Predicates of Conjunctive Complexity One Michael Fischer

Ren´e Peralta

YALEU/DCS/TR-1222 December 2001 Revised February 2002

This research was supported in part by NSF grant CCR–0081823.

Counting Predicates of Conjunctive Complexity One Michael Fischer [email protected]

1

Ren´e Peralta [email protected]

Introduction

The number of conjunctions necessary and sufficient to build a circuit for a Boolean function f : GF2n → GF2m over the basis (⊕, 1, ∧) is called the conjunctive complexity of f , denoted by C∧ (f ). The conjunctive complexity of functions is important to cryptographic applications. So-called “discreet proofs of knowledge” (of a secret x defined by a function f and a value f (x)) have length linear in C∧ (f ). (See [1, 2].) Another reason to study conjunctive complexity is that it provides an upper bound on the computational complexity of Boolean functions. If a function f has conjunctive complexity O(log(n)) then, for all x in the domain of f , an element of the pre-image of f (x) can be found in polynomial-time. This is because once the values of inputs to all conjunctions in a circuit are known, an input corresponding to a given output can be found using Gaussian elimination over GF2 . Thus, one-way functions (if they exist) have superlogarithmic conjunctive complexity. Functions with “low” conjunctive complexity may be invertible in practice via heuristics that search through feasible input values for conjunctions on the corresponding circuits. A Boolean predicate is a {0, 1}-valued Boolean function. In this note, we consider the question of how many predicates can be computed with only one conjunction (∧) and an ar2 bitrary number of exclusive-or (⊕) gates. It is known that there are at most 2k +2k+2kn+n+1 predicates on n bits which can be computed with k conjunctions [3]. For k = 1 this upper
n bound yields 16 · 23n . We show that the actual number of such predicates is exactly 2 23 for n ≥ 2.

2

Polynomials

To count the number of predicates with conjunctive complexity k, we establish a bijection between predicates and a class of polynomials, find the cardinality of that class, and apply Theorem 1. For this approach to work, we need a clear notion of polynomial and when two polynomials are considered to be distinct. Let x = x1 , . . . , xn be an n-tuple of variables. A monomial over x is an expression q = xk11 · . . . · xknn . A polynomial p over x with coefficients in GF2 is a linear combination of monomials over x. That is, p(x) =

t X

k1 =0

...

t X

ak1 ,...,kn xk11 · . . . · xknn ,

kn =0

This research was supported in part by NSF grant CCR–0081823.

1

3

CIRCUITS AND CONJUNCTIVE COMPLEXITY

2

where ak1 ,...,kn ∈ {0, 1}. We call ak1 ,...,kn xk11 · . . . · xknn a term of p if ak1 ,...,kn 6= 0. Two polynomials are equal if they have the same terms. Thus, x+x = 0 since x+x = 2x = 0x = 0 over GF2 . However x2 6= x since x and x2 are distinct monomials. p is the zero polynomial if it has no terms. The degree (resp. total degree) of a non-zero polynomial p is the largest integer t such that some term in p has degree (resp. total degree) t. The zero polynomial has degree 0. Each polynomial p over x represents a unique predicate fp : GF2n → GF2 defined by the usual polynomial evaluation rules over GF2 . That is, if u1 , . . . , un ∈ GF2 , then fp (u1 , . . . , un ) is obtained by replacing each xi in p by ui and then evaluating the resulting expression in GF2 . Thus, the polynomial x + y represents the addition predicate over GF2 , and x + 1 represents the Boolean negation predicate. Note that each predicate in general has many polynomial representations. For example, x and x2 both represent the identity function over GF2 . Polynomials p and q over x are equivalent over GF2 , written p ≡ q, if fp = fq . A polynomial is square-free if its degree is at most one, that is, no variable appears to a power higher than one. Because fx = fx2 over GF2 , it is easy to see that replacing all non-zero exponents in p with 1 results in an equivalent square-free polynomial. Hence, every Boolean predicate can be represented by a square-free polynomial. A simple counting n argument shows that there are exactly 22 square-free polynomials over x1 , . . . , xn and the same number of n-argument Boolean predicates. Hence, the mapping p 7→ fp is a bijection from square-free polynomials to Boolean predicates. In the rest of this paper, we will assume that all polynomials are square-free. Where there is no confusion, we will identify polynomials with the functions that they represent. A predicate f (x) is said to be positive (resp. negative) if f (0) = 0 (resp. f (0) = 1). Similarly, a polynomial p over GF2 is said to be positive (resp. negative) if the predicate fp is positive (resp. negative). Thus, a polynomial is positive if and only if it has no constant term. A polynomial p is linear if its total degree is at most 1. Note that a positive linear polynomial is just a sum of distinct variables. Let ν(p) be the set of variables appearing in p. Polynomials p and q are disjoint if ν(p) ∩ ν(q) = ∅.

3

Circuits and Conjunctive Complexity

A circuit C over the basis (⊕, 1, ∧) is a directed acyclic graph with designated output nodes y1 , . . . ym . Initial nodes are labeled by input variables x = x1 , . . . , xn or the constant basis element 1. Non-initial nodes, called gates, have in-degree 2 and are labeled by basis elements ⊕ or ∧. The number of ∧-gates in C is denoted by #∧ (C). A node u depends on a node v if there is a directed path from v to u in C. Each node v of C computes a Boolean predicate fv (x) in the usual way. We say that C computes the Boolean function fC , where fC (x) = (fy1 (x), . . . , fym (x)). The conjunctive complexity C∧ (f ) of f is the least integer k for which there is a circuit C with fC = f and #∧ (C) = k. For any natural number k, the set of predicates with conjunctive complexity k can be partitioned into positive and negative predicates. Both subsets have the same cardinality since the output of a circuit can be negated using a ⊕-gate whose other input is fixed to 1. This proves: Theorem 1 The number of predicates with conjunctive complexity k is exactly twice the number of positive such predicates.

3

CIRCUITS AND CONJUNCTIVE COMPLEXITY

3

A circuit C is constant-free if it has no nodes labeled by 1. Constant-free circuits obviously compute positive predicates. The following lemma shows that converting a circuit for a positive polynomial into an equivalent constant-free circuit does not increase the number of ∧-gates. Lemma 2 Let C be a circuit computing a positive predicate f (x). Then there is a constantfree circuit C 0 that also computes f , and #∧ (C 0 ) ≤ #∧ (C). Proof. We proceed by induction on k, the number of ∧-gates in C. If k = 0, then f is linear. Since f is positive, it can be represented by a positive linear polynomial. It is straightforward to construct a tree of ⊕ gates that computes f (x) without using constants. Now let #∧ (C) = k, and suppose the lemma holds for all circuits with k − 1 or fewer ∧-gates. Let γ be an initial ∧-gate of C, that is, an ∧-gate which does not depend on any other ∧-gate. We obtain two circuits G and H by “cutting” C at γ. G is the subgraph of C induced by γ and all nodes of C upon which γ depends. γ is the only output node in G. H is a copy of C except that the ∧-gate γ is changed to an input node y, and the incoming edges to γ are deleted. The output node of H is the same as that of C. Clearly, #∧ (G) = 1 and #∧ (H) = k − 1. Furthermore, the output of H on x is the same as the output of C on x when the new input y is supplied with the output of G on x. Thus, fC (x) = fH (x, fG (x)). Let α1 and α2 be the nodes of G which feed the two inputs of ∧-gate γ. We can write fαi = gi + ci , i = 1, 2, where gi is positive linear and ci ∈ {0, 1}. Then fG = (g1 + c1 )(g2 + c2 ) = g1 g2 + c1 g2 + c2 g1 + c1 c2

(1)

We consider two cases, depending on whether fG (0) is 0 or 1. Case 1: fG (0) = 0. Then c1 c2 = 0 and fG is positive linear, so we can easily construct a constant-free circuit G 0 with fG 0 = fG and #∧ (G 0 ) = 1. Also, fH (0, 0) = fH (0, fG (0)) = fC (0) = 0 since fC is positive, so fH (x, y) is also positive. By induction, there exists an equivalent constant-free circuit H0 with #∧ (H0 ) ≤ k − 1. Composing G 0 with H0 yields the desired constant-free circuit for fC (x).1 Case 2: fG (0) = 1. Then c1 c2 = 1 and fG + 1 is positive linear, so we can easily construct a constant-free circuit G 0 with fG 0 = fG + 1 and #∧ (G 0 ) = 1. Also, fH (0, 1) = fH (0, fG (0)) = fC (0) = 0 since fC is positive, so fH (x, y + 1) is also positive. By induction, there exists a constant-free circuit H0 such that fH0 (x, y) = fH (x, y + 1) and #∧ (H0 ) ≤ k − 1. Composing G 0 with H0 yields the desired constant-free circuit for fC (x). 2 We now define a special class of polynomials. We call the pair ({a, b, c}, d) a standard 3-form if a, b, c, d are positive linear polynomials, a, b, c are pairwise disjoint, and at most one of a, b, c is 0. We identify a standard 3-form with the polynomial p = ab + ac + bc + d. Note that p is square-free and positive. The correspondence between predicates with conjunctive complexity 1 and standard 3-form polynomials is given by the following lemmas. Lemma 3 Let p = ab + ac + bc + d be a standard 3-form. Then C∧ (fp ) = 1. Proof. Assume without loss of generality that a 6= 0 and b 6= 0. Over GF2 , we have p ≡ (a + c)(b + c) + c + d, so C∧ (fp ) ≤ 1. Let x ∈ ν(a) and y ∈ ν(b). By the disjointness To compose G 0 and H0 , take their disjoint union, merge together corresponding input nodes, and add an edge from the output of G 0 to input y of H0 . 1

4

THE NUMBER OF PREDICATES WITH CONJUNCTIVE COMPLEXITY 1

4

conditions, x 6= y, and neither x nor y occurs in c. Now, let p0 result from p by setting all other variables of p to 0. Clearly, p0 = xy, so C∧ (fp0 ) = 1. Furthermore, C∧ (fp0 ) ≤ C∧ (fp ) since any circuit for fp can be turned into a circuit for fp0 without increasing the number of ∧-gates. We conclude that C∧ (fp ) = 1 as claimed. 2 Lemma 4 Every positive predicate f with C∧ (f ) = 1 can be represented by a standard 3-form p. Proof. Let f be a positive predicate over n variables with C∧ (f ) = 1. By Lemma 2, there is a constant-free circuit C such that fC = f and #∧ (C) = 1. Let γ be the one ∧-gate in C. Because C is constant-free, the two inputs to γ can be represented by positive linear polynomials u and v respectively. Also, the computation of the final output from the inputs x and the output of the ∧-gate can be represented by a positive linear polynomial w0 over x and a new variable y. Clearly, u 6= v, u 6= 0, v 6= 0, and y ∈ ν(w0 ) or else the ∧-gate could be eliminated from C. Hence, w0 = w + y for some positive linear polynomial w. Let q = uv + w. Then by construction, f = fq . Now, let a, b, c be positive linear polynomials, where ν(a) = ν(u) − ν(v), ν(b) = ν(v) − ν(u), and ν(c) = ν(u) ∩ ν(v). Thus, u = a + c and v = b + c. Let d = w + c and let p = ab + ac + bc + d. Then p is a standard 3-form polynomial, and q = uv + w = (a + c)(b + c) + (c + d) = ab + ac + bc + c2 + c + d ≡ p. Hence, f = fq = fp as desired.

2

Lemma 5 Let ({a, b, c}, d) and ({a0 , b0 , c0 }, d0 ) be distinct standard 3-forms. Then the polynomials f = (ab + ac + bc) + d and g = (a0 b0 + a0 c0 + b0 c0 ) + d0 are distinct. Proof. Suppose, for a contradiction, that f and g are equal. Then d = d0 and ab + ac + bc = a0 b0 +a0 c0 +b0 c0 . Now, any homogeneous polynomial of total degree 2 is uniquely represented by a graph in which the nodes are the variables and there is an edge between x and y iff the term xy is present in the polynomial. Since a, b, c are pairwise disjoint, the graph for ab + ac + bc is a complete tripartite graph (or complete bipartite if one of the linear terms is 0). The same holds for a0 b0 + a0 c0 + b0 c0 . Since the polynomials are the same, the graphs are identical. Since the graphs are complete tripartite (bipartite), the partition into three (two) independent sets is unique, i.e., {a, b, c} = {a0 , b0 , c0 }. Thus ({a, b, c}, d) = ({a0 , b0 , c0 }, d0 ), contradiction. 2 From Lemmas 3–5, we immediately have: Theorem 6 There is a one-to-one correspondence between standard 3-forms and predicates of conjunctive complexity 1.

4

The number of predicates with conjunctive complexity 1

Theorem 6 allows us to count the predicates of conjunctive complexity 1 by counting the number of standard 3-forms: Theorem 7 The number of positive predicates over GF2n with conjunctive complexity 1 is
n 2 3 .

5

COUNTING PREDICATES WITH HIGHER CONJUNCTIVE COMPLEXITY

5

Proof. Let s be the number of distinct standard 3-forms ({a, b, c}, d). We count the number of ways of picking a, b, c, d. There are 2n ways of picking d. If t is the number of ways of picking a, b, c, then s = 2n · 3!t . To calculate t, we count the number of ways of assigning n distinct variables to four sets a, b, c, λ (λ is the set of variables not in a, b, or c) in such a way that at most one of a, b, c is empty. There are 4n assignments in all. We must subtract from this the number of assignments in which two or more of a, b, c are empty. Let A be the set of assignments in which a = ∅. Similarly define B and C. The set of interest is S = (A∩B)∪(A∩C)∪(B ∩C). Inclusion-exclusion and the symmetry of A, B, C gives |S| = 3|A∩B|−2|A∩B∩C| = 3·2n −2 since |A∩B| = 2n and |A∩B ∩C| = 1. Thus, t = 4n −|S| = 4n −3·2n +2 = (2n −1)(2n −2). Substituting back, we get 2n (2n − 1)(2n − 2) s= = 3!

2n 3

!

as claimed.

2

As mentioned earlier, the total number of predicates with conjunctive complexity 1 is twice the number of positive such predicates, yielding Theorem 8 The number of predicates over GF2n with conjunctive complexity 1 is 2

5

2n
3 .

Counting predicates with higher conjunctive complexity

It might seem to the reader that the techniques used in counting the number of predicates with conjunctive complexity one should extend to the general case of conjunctive complexity k. The following observations, based on a group-theoretic characterization of the predicate space,2 suggest this is likely to be hard. The relation f ∼ g iff f ⊕g is linear is an equivalence relation on the space of predicates. The members of any equivalence class have the same conjunctive complexity. The set of equivalence classes is a group under the operation ⊕ defined as follows: Let f1 , f2 be predicates in equivalence classes C1 , C2 , respectively. Let C3 be the equivalence class of f1 ⊕f2 , then we define C1 ⊕C2 = C3 . It is easy to verify that this operation is well-defined. The identity element of the group is the class of linear functions. Each equivalence class contains 2n+1 predicates. Since there n are 22 predicates altogether, the number of equivalence classes (i.e., the cardinality of the n group) is 22 /(2n+1 ) = 2m , where m = 2n − n − 1. Since each element is it’s own inverse, and the group is finite Abelian, the group must be (GF2 )m . Standard group theory then says that every subgroup must have cardinality a power of two. n
Thus, our results imply there are 2 23 /(2n+1 ) equivalence classes with conjunctive complexity one. For n = 3, this evaluates to seven. Call two predicates independent if they belong to different equivalence classes (i.e., if their sum is non-linear). It can be verified that the predicates shown in Fig. 1 are pairwise independent. Clearly, they all have conjunctive complexity one. One can also verify that these predicates, plus the 0 predicate, form a subgroup S of the group of equivalence classes. This means one cannot, in the case n = 3, construct a 2

We are not aware of this characterization having appeared in the literature.

6

ACKNOWLEDGMENTS

x1 x2

6

x1 x3

x2 x3

x3 (x1 ⊕x2 )

x1 (x2 ⊕x3 )

x2 (x1 ⊕x3 )

(x1 ⊕x2 )(x1 ⊕x3 )

Figure 1: Representatives of the seven complexity-1 equivalence classes on 3 inputs. predicate with complexity two by taking the ⊕ of two predicates with complexity one. This is quite unexpected, and the same does not hold for the space of predicates over four bits. 4
In that space, the number of equivalence classes with complexity one is 2 23 /(24+1 ) = 35. Since 36 is not a power of 2, the set of predicates with complexity ≤ 1 is not closed under ⊕. Returning to the case of n = 3, we note that T = S⊕{x1 x2 x3 } is a set of 8 pairwise independent predicates of conjunctive complexity more than one. Thus T +S contain 16 pairwise 3 independent predicates. Since the total number of equivalence classes is 22 /(23+1 ) = 16, T and S account for all equivalence classes. It is not hard to verify that all elements of T have conjunctive complexity two. For example, x1 x2 + x1 x3 + x2 x3 + x1 x2 x3 turns out to be equal to ((x1 + x2 )(x1 + x3 ) + x1 )(x1 + x2 + x3 + 1). We conclude that all predicates on three inputs have conjunctive complexity two or less. More specifically there are 16 linear predicates, 112 predicates with complexity one, and 128 predicates with complexity two. Obtaining such a detailed map of the complexity of predicates on more than three bits is likely to be much more difficult.

6

Acknowledgments

Dan Sharfman coded an algorithm to count the number of predicates over n variables of conjunctive complexity k. In practice, we can run this algorithm only on very small n and k. We ran Sharfman’s code for k = 1 and 2 ≤ n ≤ 5. The experiment led to the hypothesis proven in this note. Conversations on this and related topics with Shigenori Uchiyama and Zo¨e Diamadi are also gratefully acknowledged.

References [1] J. Boyar, I. Damg˚ ard, and R. Peralta. Short non-interactive cryptographic proofs. Journal of Cryptology, 13:449–472, 2000. [2] J. Boyar and R. Peralta. Short discreet proofs. In Advances in Cryptology - Proceedings of EUROCRYPT 96, volume 1070 of Lecture Notes in Computer Science, pages 131–142. Springer-Verlag, 1996. [3] J. Boyar, R. Peralta, and D. Pochuev. On the multiplicative complexity of boolean functions over the basis (∧, ⊕, 1). Theoretical Computer Science, 235:43–57, 2000.